Reference: Anti-malware settings

When you create an Anti-Malware policy, you can add settings to control the user experience. These settings apply to both System Center Endpoint Protection (SCEP) and Windows Defender Antivirus unless they are labeled (SCEP only) or (Defender only).

Client Interface

Display additional text to clients when they need to perform an action

Set a custom message to display to users when they need to perform an action. The string must be less than 1024 characters.

Example: Contact our company help desk at 555-1212 for more help.

Display notifications to clients when they need to perform actions

Configure whether to display notifications to users when they need to perform an action.

Enable or do not configure this setting to display notifications to users when they need to perform an action.

Disable this setting to prevent notifications from being displayed to users.

Enable headless UI mode

Configure whether the Windows anti-malware user interface displays to users.

Enable this setting to hide the Windows anti-malware user interface from users.

Disable or do not configure this setting to show the Windows anti-malware user interface to users.

Suppresses reboot notifications

Configure whether reboot notifications display to users.

Enable this setting to suppress reboot notifications.

Disable or do not configure this setting to display reboot notifications to users.

Exclusions

Extension Exclusions

Specify file extensions to exclude from scanning.

Example: obj

IP address range Exclusions

Specify IP addresses to exclude from network scanning.

Example: 157.1.45.123-60.1.1.1

Path Exclusions

Specify file paths to exclude from scanning.

Example: C:\Program Files

Port number Exclusions

Specify TCP ports to exclude from network scanning.

Example: 17472

Process Exclusions

Specify a path to a process to exclude all files opened by that process from scanning. Each value must be a full path to a process. The process itself is still scanned.

Example: C:\Windows\Program.exe

Process Exclusions for outbound traffic

Specify a path to a process to exclude outbound traffic from that process from network scanning.

Example: C:\Windows\Program.exe

Threat ID Exclusions

Exclude specific threats from network scanning.

Example: 2925110632

Turn off Auto Exclusions (Defender Only)

Turn Automatic Exclusions on or off.

Enable this setting to turn off Automatic Exclusions.

Disable or do not configure this setting to turn on Automatic Exclusions.
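
Exclusions are the settings in this section most worth reviewing, because every entry is a blind spot for the scanner. The following audit is an added example, not code from the original reference or from Configuration Manager: the policy dict layout, the sample values and the risk heuristics are assumptions constructed here, while the format checks follow what the reference states (bare extensions, absolute file paths, full process paths, TCP ports, addresses or dash-separated IP ranges, numeric threat IDs).

```python
"""Audit the Exclusions lists of an anti-malware policy (added example; the
policy layout, sample values and risk heuristics are assumptions)."""
import ipaddress
import re

# Assumed heuristics: exclusions that hide the places and file types malware
# usually lives in. Tune these sets to the environment being reviewed.
RISKY_EXTENSIONS = {"exe", "dll", "scr", "ps1", "vbs", "js", "bat", "cmd", "hta"}
RISKY_ROOTS = (r"c:\windows", r"c:\users", r"c:\programdata", r"c:\temp")
RISKY_PROCESS_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                        "mshta.exe", "rundll32.exe", "regsvr32.exe", "explorer.exe"}

_ABS_WIN_PATH = re.compile(r"^[a-zA-Z]:\\")
_BARE_EXTENSION = re.compile(r"^[a-z0-9_~\-]+$")


def _is_risky_path(path: str) -> bool:
    """True for a whole drive or for one of the system-wide roots above."""
    p = path.strip().lower().rstrip("\\")
    if re.fullmatch(r"[a-z]:", p):
        return True
    return any(p == root or p.startswith(root + "\\") for root in RISKY_ROOTS)


def _check_ip_range(value: str) -> None:
    """Accept a single address or 'start-end'; raise ValueError otherwise."""
    lo, _, hi = value.partition("-")
    start = ipaddress.ip_address(lo.strip())
    end = ipaddress.ip_address(hi.strip()) if hi else start
    if start.version != end.version:
        raise ValueError("mixed address families")
    if int(end) < int(start):
        raise ValueError("end address precedes start address")


def audit_exclusions(policy: dict) -> list:
    """Return (severity, message) findings; an empty list means every entry is
    well-formed and none of the risk heuristics fired."""
    findings = []
    for ext in policy.get("extensions", []):
        bare = ext.strip().lstrip(".").lower()
        if not _BARE_EXTENSION.match(bare):
            findings.append(("error", f"extension '{ext}' is not a bare extension"))
        elif bare in RISKY_EXTENSIONS:
            findings.append(("high", f"extension '{bare}' hides executable content"))
    for rng in policy.get("ip_ranges", []):
        try:
            _check_ip_range(rng)
        except ValueError as exc:
            findings.append(("error", f"IP exclusion '{rng}': {exc}"))
    for path in policy.get("paths", []):
        if not _ABS_WIN_PATH.match(path.strip()):
            findings.append(("error", f"path '{path}' is not an absolute Windows path"))
        elif _is_risky_path(path):
            findings.append(("high", f"path '{path}' excludes a system-wide location"))
    for port in policy.get("ports", []):
        if not str(port).isdigit() or not 1 <= int(port) <= 65535:
            findings.append(("error", f"port '{port}' is not a valid TCP port"))
    for proc in policy.get("processes", []):
        # Only files opened by the process are skipped; the image itself is still scanned.
        if not _ABS_WIN_PATH.match(proc.strip()):
            findings.append(("error", f"process '{proc}' must be a full path to the executable"))
        elif proc.strip().lower().rsplit("\\", 1)[-1] in RISKY_PROCESS_IMAGES:
            findings.append(("high", f"process '{proc}' is a script host or system utility; "
                                     "everything it opens goes unscanned"))
    for tid in policy.get("threat_ids", []):
        if not str(tid).isdigit():
            findings.append(("error", f"threat ID '{tid}' is not numeric"))
    return findings


# Constructed sample policy mixing valid, malformed and risky entries.
SAMPLE_POLICY = {
    "extensions": ["obj", ".exe", "tmp"],
    "ip_ranges": ["10.20.30.40", "10.20.30.1-10.20.30.254", "10.0.0.9-10.0.0.1", "not-an-ip"],
    "paths": [r"C:\Program Files\BuildTools", r"C:\Windows", r"build\out"],
    "ports": [17472, 0, "abc"],
    "processes": [r"C:\Build\compiler.exe", r"C:\Windows\System32\cmd.exe", "compiler.exe"],
    "threat_ids": [2925110632],
}

if __name__ == "__main__":
    for severity, message in audit_exclusions(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```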

MAPS

Configure local setting override for reporting to MAPS

Allow the local preference for joining the Microsoft Active Protection Service to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Join MAPS

Join the Microsoft Active Protection Service. Possible values are:

  • Disabled
  • Basic MAPS
  • Advanced MAPS

Send file samples when further analysis is required

Configure how samples are sent to the Microsoft Active Protection Service. Possible values are:

  • Always prompt
  • Send safe samples
  • Never send
  • Send all samples

Network Inspection System

Define the rate of detection events for logging

Control the time interval in minutes for logging of detection events. Each event is logged at most once per time interval.

Default value: 60

Specify additional definition sets for network traffic inspection

Specify additional definition sets to enable for network scanning. Each value must be a GUID of a definition set to enable.

Example: {b54b6ac9-a737-498e-9120-6616ad3bf590}

Turn on definition retirement

Control whether known network vulnerabilities are scanned for after they are patched.

Enable or do not configure this setting to stop checking for network vulnerabilities after they are patched.

Disable this setting to always check for known network vulnerabilities.

Turn on protocol recognition

Control whether network protocol recognition is used to protect against attacks from known vulnerabilities.

Enable or do not configure this setting to enable network protocol recognition.

Disable this setting to disable network protocol recognition.

Quarantine

Configure local setting override for the removal of items from Quarantine folder

Allow the local preference for the number of days to keep items in the quarantine folder to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure removal of items from Quarantine folder

Define the number of days that items are kept in the quarantine folder before they are removed. By default, items remain in the quarantine folder indefinitely.

Example: 30

Real-time Protection

Configure local setting override for monitoring file and program activity on your computer

Allow the local preference for file and program activity to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override for monitoring for incoming and outgoing file activity

Allow the local preference for monitoring of incoming and outgoing file activity to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override for scanning all downloaded files and attachments

Allow the local preference for scanning downloaded files and attachments to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override for turn on behavior monitoring

Allow the local preference for behavior monitoring to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override for turn on script scanning (SCEP Only)

Allow the local preference for script scanning to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override to turn off Intrusion Prevention System

Allow the local preference for network scanning to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override to turn on real-time protection

Allow the local preference for turning on real-time protection to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure monitoring for incoming and outgoing file and program activity

Configure whether incoming or outgoing files are scanned. On servers with heavy network traffic, disabling scanning for a particular direction can help to achieve optimal network performance. This setting is applicable only to NTFS volumes.

Define the maximum size of downloaded files and attachments to be scanned

Configure the maximum size of downloaded files and attachments to scan. The value is the maximum file size in kilobytes.

Example: 524288

Monitor file and program activity on your computer

Configure monitoring of file and program activity.

Enable or do not configure this setting to turn on monitoring of file and program activity.

Disable this setting to turn off monitoring of file and program activity.

Scan all downloaded files and attachments

Configure scanning of downloaded files and attachments.

Enable or do not configure this setting to scan all downloaded files and attachments.

Disable this setting to turn off scanning of downloaded files and attachments.

Turn off real-time protection

Configure whether users are prompted when known malware is detected.

Enable this setting to never prompt users to take action when malware is detected.

Disable or do not configure this setting to prompt users to take action when malware is detected.

Turn on behavior monitoring

Turn behavior monitoring on or off.

Enable or do not configure this setting to enable behavior monitoring.

Disable this setting to turn off behavior monitoring.

Turn on Information Protection Control

Turn Information Protection Control on or off.

Enable this setting to turn on Information Protection Control.

Disable or do not configure this setting to turn off Information Protection Control.

Turn on network protection against exploits of known vulnerabilities

Configure network protection from known vulnerabilities.

Enable or do not configure this setting to turn on network protection.

Disable this setting to turn off network protection.

Turn on process scanning whenever real-time protection is enabled

Configure whether all processes are scanned when real-time protection is first turned on. This scan can detect malware that starts when real-time protection is off.

Enable or do not configure this setting to start a process scan when real-time protection is turned on.

Disable this setting to not start a process scan when real-time protection is turned on.

Turn on raw volume write notifications

Configure notifications of raw volume writes.

Enable or do not configure this setting to turn on raw write notifications.

Disable this setting to turn off raw write notifications.

Turn on script scanning (SCEP Only)

Configure script scanning.

Enable or do not configure this setting to enable script scanning.

Disable this setting to disable script scanning.

Remediation

Configure local setting override for the time of day to run a scheduled full scan to complete remediation

Allow the local preference for the scheduled scan time to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Specify the day of the week to run a scheduled full scan to complete remediation

Schedule the day of the week to perform a full scan.

Specify the time of day to run a scheduled full scan to complete remediation

Specify the time of day to perform a full scan. The value is the number of minutes past midnight in the local time for the endpoint to perform the scan.

Example: 180

Reporting

Configure time out for detections in critically failed state

Set the time in minutes for a "critically failed" detection to move to "additional action" or be "cleared."

Example: 7200

Configure time out for detections in non-critical failed state

Set the time in minutes to "clear" a "non-critically failed" detection.

Example: 7200

Configure time out for detections in recently remediated state

Set the time in minutes to "clear" a "completed" detection.

Example: 7200

Configure time out for detections requiring additional action

Set the time in minutes to "clear" an "additional action."

Example: 7200

Configure Watson events (SCEP Only)

Use this policy setting to configure whether or not Watson events are sent. This value has been deprecated as of the February 2015 anti-malware platform update. For more information, see Microsoft: February 2015 anti-malware platform update for Endpoint Protection clients.

Configure Windows software trace preprocessor components

Configure the Windows software trace preprocessor.

Configure WPP tracing level

Configure tracing levels for the Windows software trace preprocessor (WPP Software Tracing). The allowed values are Error (1), Warning (2), Info (3), or Debug (4).

Example: 1

Scan

Allow users to pause scan

Allow users to pause a scan while it is in progress.

Enable or do not configure this setting to add a new context menu to the task tray icon that allows users to pause a scan.

Disable this setting to prevent users from pausing scans.

Check for the latest virus and spyware definitions before running a scheduled scan

Check for new virus and spyware definitions before running a scan. This setting does not apply to scans started manually from the user interface.

Enable this setting to check for new definitions before running a scan.

Disable or do not configure this setting for scans to use existing definitions.

Configure local setting override for maximum percentage of CPU utilization

Allow the local preference for maximum CPU utilization to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override for schedule scan day

Allow the local preference for the scheduled scan day to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override for scheduled quick scan time

Allow the local preference for the scheduled quick scan time to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override for scheduled scan time

Allow the local preference for the scheduled scan time to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Configure local setting override for the scan type to use for a scheduled scan

Allow the local preference for the scan type to use during a scheduled scan to override the group policy.

Enable this setting for the local preference to have precedence over the group policy.

Disable or do not configure this setting for the group policy to have precedence over the local preference.

Create a system restore point

Configure whether a daily system restore point is created on an endpoint before it is cleaned.

Enable this setting to create a system restore point before cleaning.

Disable or do not configure this setting to prevent a system restore point from being created.

Define the number of days after which a catch-up scan is forced (Defender Only)

Specify the number of consecutive scheduled scans that can be missed until a forced catch-up scan runs.

Example: 2

Default value: 2

Run full scan on mapped network drives

Configure whether mapped network drives are scanned.

Enable this setting to scan mapped network drives.

Disable or do not configure this setting to prevent scanning mapped network drives.

Scan archive files

Configure whether archive files are scanned. Archive files are ZIP or CAB files.

Enable or do not configure this setting to scan archive files.

Disable this setting to prevent scanning archive files.

Scan network files

Configure whether network files are scanned.

Enable this setting to scan network files.

Disable or do not configure this setting to prevent scanning network files.

Scan packed executables

Configure whether packed executables are scanned.

Enable or do not configure this setting to scan packed executables. For best results, use this setting.

Disable this setting to prevent scanning of packed executables.

Scan removable drives

Configure whether removable drives, such as USB flash drives, are scanned when running a full scan.

Enable this setting to scan removable drives during any type of scan.

Disable or do not configure this setting to prevent scanning of removable drives in full scans. Removable drives can still be scanned during quick scans and custom scans.

Specify the interval to run quick scans per day

Configure the quick scan interval in hours. The value 0 means that quick scans are never scheduled.

Example: 24

Default value: 0

Specify the maximum depth to scan archive files

Set the maximum directory depth to which archive files are unpacked during scanning. Archive files are ZIP or CAB files.

Example: 1

Default value: 0

Specify the maximum percentage of CPU utilization during a scan

Set the maximum percentage CPU utilization allowed during a scan. Valid percentage values can range from 5 to 50. The value 0 means that there is no limit.

Example: 5

Default value: 50

Specify the maximum size of archive files to be scanned

Set the maximum size of archive files that are scanned. Archive files are ZIP or CAB files. The value is the number of kilobytes. The value 0 means that there is no size limit.

Example: 1048576

Default value: 0

Specify the scan type to use for a scheduled scan

Specify the scan type used during scheduled scans. By default, scheduled scans use quick scans.

Specify the time for a daily quick scan

Specify the time of day when a daily quick scan runs. The value is the number of minutes past midnight in the local time for the endpoint to perform the scan.

Example: 180

Default value: 120

Start the scheduled scan only when computer is on but not in use

Set whether scans begin only when the endpoint is idle.

Enable or do not configure this setting to start scans only when the endpoint is idle.

Disable this setting to start scans at the scheduled time.

Turn on catch-up full scan

Configure whether to start a full scan if two consecutive scheduled scans are missed. The full scan starts the next time someone logs in after the scheduled scans are missed.

Enable this setting to turn on catch-up full scans.

Disable or do not configure this setting to turn off catch-up full scans.

Turn on catch-up quick scan

Configure whether to start a quick scan if two consecutive scheduled scans are missed. The quick scan starts the next time someone logs in after the scheduled scans are missed.

Enable this setting to turn on catch-up quick scans.

Disable or do not configure this setting to turn off catch-up quick scans.

Turn on e-mail scanning

Configure whether email and email attachments are scanned.

Enable this setting to turn on email scanning.

Disable or do not configure this setting to turn off email scanning.

Turn on heuristics

Heuristics improve the capability to flag new threats.

Enable or do not configure this setting to turn on heuristics. For best results, use this setting.

Disable this setting to turn off heuristics.

Turn on removal of items from scan history folder

Configure the number of days that items are kept in the scan history folder before being permanently removed. The value 0 means that items are never removed from the history folder.

Example: 7

Default: 30

Turn on reparse point scanning

Configure whether reparse points are scanned. Reparse points are followed to a maximum depth, so a recursive reparse point might slow down scanning, but it does not cause an error.

Enable this setting to scan reparse points.

Disable or do not configure this setting to prevent reparse point scanning.

Signature Updates

Allow definition updates from Microsoft Update

Enable definition updates to be downloaded from Microsoft Update even if Automatic Updates are configured to use a different download source.

Enable this setting to download definition updates from Microsoft Update.

Disable or do not configure this setting to download definition updates from the configured source.

Allow definition updates when running on battery power

Configure whether definitions are updated when an endpoint is running on battery power.

Enable or do not configure this setting to update definitions even when an endpoint is running on battery power.

Disable this setting to turn off definition updates when an endpoint is running on battery power.

Allow notifications to disable definitions based reports to MAPS

Enable receiving notifications from MAPS to disable definitions that are causing false positives. MAPS must be configured on an endpoint to successfully use this functionality.

Enable or do not configure this setting to receive notifications from MAPS to disable definitions that are causing false positives.

Disable this setting to turn off receiving notifications from MAPS to disable definitions.

Allow real-time definition updates based on reports to MAPS

Enable real-time definition updates if MAPS finds that the latest definition update has definitions for a threat involving an unknown file. MAPS must be configured on an endpoint to successfully use this functionality.

Enable or do not configure this setting to enable real-time definition updates.

Disable this setting to turn off real-time definition updates.

Check for the latest virus and spyware definitions on startup

Specify whether definition updates should be checked at service startup.

Enable this setting to check for definition updates at service startup.

Disable or do not configure this setting to prevent checking for definition updates at service startup.

Define file shares for downloading definition updates

Set UNC file shares for downloading definition updates. The file shares are tried in the specified order.

Example: \\corp\updates

Define the number of days after which a catch-up definition update is required

Specify the number of days that can pass before a forced catch-up definition update.

Example: 7

Default value: 1

Define the number of days before spyware definitions are considered out of date

Set the number of days that can pass before spyware definitions are considered out of date.

Example: 7

Default value: 14

Define the number of days before virus definitions are considered out of date

Set the number of days that can pass before virus definitions are considered out of date.

Example: 7

Default value: 14

Define the order of sources for downloading definition updates

Specify the order for definition update sources to be contacted. Possible values are:

  • Microsoft Update
  • Microsoft Malware Protection Center
  • Internal definition update server
  • File shares

Initiate definition update on startup

Configure whether definitions are updated on startup when there is no antimalware engine.

Enable or do not configure this setting to enable definition updates on startup when no antimalware engine is present.

Disable this setting to turn off definition updates when no antimalware engine is present.

Specify the day of the week to check for definition updates

Specify the day of the week to check for definition updates. By default, updates are checked every day.

Specify the interval to check for definition updates

Specify the definition update check interval in hours.

Example: 12

Specify the time to check for definition updates

Specify the time of day to check for definition updates. The value is the number of minutes past midnight in the local time for the endpoint to check for definition updates. By default, definition updates are checked 15 minutes before the scheduled scan time.

Example: 120

Turn on scan after signature update

Configure whether a scan should start after a definition update.

Enable or do not configure this setting to start a scan after a definition update.

Disable this setting to not start a scan after a definition update.

System Center Endpoint Protection

Turn on Potentially Unwanted Application (PUA) detection (SCEP Only)

Enable this setting to block PUAs from being downloaded through Internet Explorer, Firefox, and Chrome.

Disable or do not configure this setting to disable improved PUA detection.

Turn on threat file hash logging (SCEP Only)

Determine whether the SHA1 file hash of any detected threat file is recorded in the event log for additional research and correlation with other threat streams. When a threat file is detected and hash logging is enabled, EventID 1120 is recorded in the system log.

Enable this setting for events to be recorded.

Disable or do not configure this setting for threat file hashes to not be recorded to the event log.

Turn on virus definitions (SCEP Only)

Manage virus definitions used during a scan.

Enable or do not configure this setting for virus definitions to be used during scans.

Disable this setting for virus definitions to not be used during scans.

Threats

Specify threat alert levels at which default action should not be taken when detected

Customize the remediation action to take for each threat alert level.

Possible values for threat alert levels are:

  • Low
  • Medium
  • High
  • Severe

Possible values for remediation actions are:

  • Quarantine
  • Remove
  • Ignore

Specify threats upon which default action should not be taken when detected

Customize the remediation action to take for each detected Threat ID. Possible values for remediation actions are:

  • Quarantine
  • Remove
  • Ignore

Windows Defender

Allow antimalware service to remain running always

Choose whether the Windows Anti-malware service keeps running when virus and spyware definitions are disabled.

Enable this setting to keep the Windows Anti-malware service running when virus and spyware definitions are disabled.

Disable or do not configure this setting to stop the Windows Anti-malware service when virus and spyware definitions are disabled.

Allow antimalware service to startup with normal priority

Modify the startup priority of the Windows Defender service. This might impact performance.

Enable or do not configure this setting to start the Windows Anti-malware service with normal priority.

Disable this setting to start the Windows Anti-malware service with low priority.

Configure local administrator merge behavior for lists

Control whether local preferences for exclusions and threats are merged with the group policy.

Enable or do not configure this setting to merge local preferences with the group policy. Group policy settings take precedence over local preferences.

Disable this setting to ignore local preferences.
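
The "local setting override" switches throughout this reference and the list merge behavior above decide what an endpoint actually enforces when a local administrator has changed preferences. The following resolver is an added example, not code from the original reference or from the product: the setting names, dict layout and sample values are constructed assumptions, while the rules follow the page (an enabled override lets the local preference take precedence for that setting; merging keeps local list entries with the group policy winning conflicts; with merging disabled local lists are ignored).

```python
"""Resolve effective anti-malware preferences from group policy, local
preference and the override/merge switches (added example; names and sample
values are assumptions)."""


def resolve_setting(name, policy, local, overrides):
    """Scalar setting: the local value wins only when its override is enabled
    and the endpoint actually has a local value; otherwise policy applies."""
    if overrides.get(name) and name in local:
        return local[name]
    return policy.get(name)


def resolve_exclusions(policy_items, local_items, merge_lists):
    """Exclusion list: union when merging (policy entries first, de-duplicated
    case-insensitively); policy entries only when merging is disabled."""
    merged = list(policy_items)
    if merge_lists:
        seen = {item.lower() for item in merged}
        for item in local_items:
            if item.lower() not in seen:
                merged.append(item)
                seen.add(item.lower())
    return merged


def resolve_threat_actions(policy_actions, local_actions, merge_lists):
    """Per-threat-ID remediation actions: on a conflict the policy value wins."""
    if not merge_lists:
        return dict(policy_actions)
    return {**local_actions, **policy_actions}


def effective_preferences(policy, local, overrides, merge_lists):
    """Combine the three resolvers into one view of what the endpoint enforces."""
    out = {}
    for name in sorted(set(policy) | set(local)):
        if name not in ("path_exclusions", "threat_actions"):
            out[name] = resolve_setting(name, policy, local, overrides)
    out["path_exclusions"] = resolve_exclusions(
        policy.get("path_exclusions", []), local.get("path_exclusions", []), merge_lists)
    out["threat_actions"] = resolve_threat_actions(
        policy.get("threat_actions", {}), local.get("threat_actions", {}), merge_lists)
    return out


# Constructed sample: a local administrator lowered the CPU limit, turned off
# real-time protection, added an exclusion and downgraded a threat's action.
POLICY = {"max_cpu_percent": 50, "realtime_protection": True,
          "path_exclusions": [r"C:\Program Files\BuildTools"],
          "threat_actions": {"2925110632": "Quarantine"}}
LOCAL = {"max_cpu_percent": 20, "realtime_protection": False,
         "path_exclusions": [r"C:\Temp", r"c:\program files\buildtools"],
         "threat_actions": {"2925110632": "Ignore", "1000001": "Remove"}}
# Only the CPU override is enabled, so the local real-time change is ignored.
OVERRIDES = {"max_cpu_percent": True, "realtime_protection": False}

if __name__ == "__main__":
    for merge in (True, False):
        print(f"merge_lists={merge}:", effective_preferences(POLICY, LOCAL, OVERRIDES, merge))
```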

Define addresses to bypass proxy server

Bypass the proxy for a specific IP address. The value must be a valid URL.

Define proxy server for connecting to the network

Configure a proxy to use for downloading definition updates or reporting events to MAPS. By default, the following settings are used in order:

  1. Internet Explorer proxy settings
  2. Auto-detect
  3. None

Randomize scheduled task times

Randomize the start time of scheduled tasks.

Enable or do not configure this setting for scheduled tasks to begin randomly within 30 minutes of their scheduled start time.

Disable this setting for scheduled tasks to begin at their scheduled start time.

Turn off routine remediation

Control whether Windows Anti-malware automatically remediates threats.

Enable this setting to prevent automatic remediation. Instead, users are prompted with a choice of actions to take.

Disable or do not configure this setting to automatically take action on all detected threats.

Turn off Windows Defender

Turn Windows Anti-malware on or off.

Enable this setting to turn off Windows Anti-malware.

Disable or do not configure this setting to turn on Windows Anti-malware.

Last updated: 11/19/2019 7:45 PM